# Copy this file to /etc/certidude/template.ovpn and customize gateway IP addresses

# Run as client
client # tls-client; pull
nobind

# OpenVPN gateway(s), uncomment remote-random to load balance
comp-lzo
proto udp
{% if servers %}
remote-random
{% for server in servers %}
remote {{ server }} 51900
{% endfor %}
{% else %}
remote 1.2.3.4 1194
{% endif %}

# Virtual network interface settings
dev tun
persist-tun

# Customize crypto settings
;tls-version-min 1.2
;tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
;cipher AES-256-CBC
;auth SHA384

# Check that server presented certificate has TLS Server flag present
remote-cert-tls server

# X.509 business
persist-key
<ca>
{{ca}}
</ca>
<key>
{{key}}
</key>
<cert>
{{cert}}
</cert>

# Revocation list
# Tunnelblick doens't handle inlined CRL
# hard to update as well
;<crl-verify>
;</crl-verify>

# Pre-shared key for extra layer of security
;<ta>
;</ta>